How Secure Are Your Documents In Google Drive?

I use Google Drive every day. While Word is still my go-to for writing, Drive is my home base for storing documents and cataloging the test results I collect while reviewing computer hardware. There are literally thousands of documents in my drive, and I take it for granted that they’ll be available whenever I need them.

Is that wise? Or is Google Drive’s security not as robust as it may seem? Recent events, including NSA spying and an incredibly convincing phishing scam, have some users worried. Here’s what you need to know about Drive’s security.

Terms Of Service

Security threats don’t always come from outside an organization. Google is a huge company, and it’s worth asking whether it can be trusted to keep data in Drive private.

The answer, according to the terms of service, appears to be “yes.” Google says it does not use Drive data for marketing purposes, which means the company isn’t using what you upload to create a marketing profile of you.

While Google claims “a worldwide license to use, host, store, reproduce, modify, create derivative works” from your data, this clause is only meant to give Google permission to offer services like Google Translate, which technically creates a derivative work. The paragraph preceding this section says “You retain ownership of any intellectual property rights that you hold” and “what belongs to you stays yours.”

There’s no boogeyman in the ToS, but remember; Google does have to comply with each country in which it operates. If a law enforcement agency can produce a legally sound reason to access your data, Google has no choice but to comply. This won’t matter to most people most of the time, but folks who believe a government may have reason to try and access their data would do well to remember it.

Only As Secure As Your Google Account

Drive is a service offered by Google, so that of course means it is tied to your Google account. This may prove to be a problem for people who are concerned with their security. If anyone gains access to your Google account, they have access to what’s in Drive, too.

Let’s say, for example, you leave your Gmail account logged in on your PC and forget to lock Windows when you go to lunch. People do this all the time, and it gives anyone who wanders by access to not only your email but also Drive – and anything else you do through Google. Drive does not automatically log users out after a period of inactivity, something a highly secure service would do.

To Google’s credit, though, the company does offer two-factor authentication and provides login information that lets you see if any recent logins came from an unusual location or occurred at an unusual time. You can also print out a code sheet that can be used to regain access to your account if someone swipes your password, logs in, and then changes the password to something you don’t know.

While nothing is ever 100% secure, a Google account secured by two-factor authentication is sufficient for most users. Provided they remember to log out when not using their PC, of course.

Tricky Phishing

Still, there are some attacks that can be particularly devious. A recent example involved a phishing attack that used a document hosted on Google Drive to trick users. Because the document was hosted on Drive, the URL did not seem suspicious and was served over SSL, making victims more likely to think it was legitimate. The fake page presented a convincing recreation of Google’s login page, and anyone who entered their email and password had the data sent to a compromised server.

This attack, though clever, doesn’t reflect any particular weakness in Google Drive. Instead it exposes the obvious, but often forgotten, downside to any cloud storage service; your data is no longer physically in your possession. Your data is hosted somewhere else, and you can only access it through a computer with Internet access. This presents many opportunities for tricks that compromise your account by stealing your login and password.

Locally hosted files, on the other hand, can only be stolen if a Trojan is installed on your PC or someone gains physical access to your hardware. Phishing attacks, hacked servers and compromised WiFi aren’t a concern for people who don’t host their data in the cloud.

Conclusion: Is Drive Secure?

I think a Google Drive account protected by two-factor authentication and a strong password is reasonably secure. That’s not the same as invulnerable, but it does mean anyone who wants the data in your Drive would have to use extraordinary measures to gain it. Most of us don’t host particularly sensitive information on Drive, and hackers probably aren’t going to use a previously unknown exploit to steal a collection of haiku inspired by condiments (or whatever else you have in your squirreled away).

On the other hand, Drive is not secure enough for users who store valuable or sensitive information. You shouldn’t host all your financial records in Drive, or use it to store your world-famous secret BBQ recipe, or use it to store photos from your last trip to the Adult Entertainment Expo. Drive is vulnerable to the tricks that can impact any online account and can also be compromised simply by forgetting to log out.

What do you think of Google Drive’s security? Is it sufficient, or could Google do more? Sound off in the comments.

Get the best tips from MakeUseOf in your inbox, free!

Michael

April 3, 2014

Between the two-step verification and Google using HTTPS on all of it’s services, I’d say it’s more secure than most. By forcing unknown locations to require a password and a code sent to your phone, you’re pretty set. As for other techniques of acquiring your info, not only does Google use HTTPS, but if you also use a VPN service like Hotspot Sheild, as I do, then you’re in even better shape. I’ve been a Google power user for the past 5 – 6 years and I think they’re doing a pretty solid job when it comes to securing your information.

Danielx386

April 5, 2014

But then there nothing to stop google from looking at your stuff like drop box does

rk

April 9, 2014

I am no tech guru but SSL is now under scrutiny after a bug was found. It’s being patched in a jiffy I am told but what other bugs are lurking to be discovered? I had to view something on google drive for the first time yesterday and I must’ve been living under the rock. I found it (at first glance/usage) a bit cumbersome and videos were super slow although they were only a min long videos!

KB

April 3, 2014

I find it hard to trust TOS, especially from American-based companies. In light of the NSA and subpoenas from the secret court, companies could NOT disclose information about the governments requests into user data (and I’m guessing much much more). I would much rather trust my data to an end-to-end encryption service like mega, or perhaps use an encryption-application to encrypt the data before it hits my Google drive.

Ed

April 3, 2014

I only store stuff in Drive or any cloud storage that I wouldn’t mind printing out and letting it sit on an open desk.. If it needs to be private or secure, it’s not going in anybody’s cloud service. That’s just me.

Bram

Terence @ eStrategyPro.com

April 3, 2014

Google Drive may be ‘secure’ in the sense that
(1) they provide good authentication control (e.g. two-factor login) and
(2) that your files in transit to and fro their servers are encrypted (i.e. TLS/SSL)
(3) that your files at rest in their servers are encrypted

But these points also apply to every other cloud storage provides (e.g. DropBox, OneDrive, Box, etc).

But the more crucial question is this: are your files PRIVATE?

No matter how much security Google employs, this fact remains: GOOGLE CAN SEE EVERYTHING YOU STORE THERE! And that, by extension, means that Google has to comply with whatever legal obligation to turn over your files to the authorities when compelled. In fact, this applies to almost every cloud storage providers.

If you want security and privacy, then the only way is to encrypt your files PRIOR to uploading to any cloud storage providers. And make sure you keep the encryption keys secret to yourself only.

mark

December 27, 2014

Google does not look at files without a damn good reason period. No file can be looked at without high level authorization and any Google employee that peeks at a file without authorization is gone. If a government request access then they need to follow every little legal procedure to get it. So if you are a crook then the cloud migh not be for you but everyone else is safe.

james

Its actually easier for law enforcement to enter your home and take your computer than it is for them to subpoena your docs on drive. Its more secure than your laptop.

dragonmouth

April 4, 2014

They still need a search warrant or a subpoena to enter your house, or your explicit permission.

James

April 4, 2014

At your house it is most likely there is no lawyer who can determine if the request is too broad or challenge it should it be mistargeted. Google on the other hand fights these regularly, for free.

Matt S

April 4, 2014

I think this is a good point. While the NSA stuff is troubling, I think it’s wrong to think less of Google or Microsoft because of it. Ultimately they have to follow the law. The problem is the law, not the companies.

Mark M

April 4, 2014

Given the growing popularity/use of cloud-based storage, I believe that it’s overall security will only get stronger. Companies like Google, AWS, OneDrive, DropBox etc. will develop to better suit the needs/concerns of the average “every-day” user. This will bode well for both the host and the user. I’m just beginning to get comfortable with using cloud storage for my documents, spread-sheets, pics & vids and even purchase receipts, I think most folks are beginning to accept this as well. Only the future will tell of the overall security of this venture, as for now, the “privacy” of your information is becoming more of a concern than the security of it.

dragonmouth

April 4, 2014

Security is not something to be comfortable with, or about because that is when you start losing it. New threats arise constantly.

dragonmouth

April 4, 2014

“There’s no boogeyman in the ToS”
No, the boogie man is in the law offices of the firm(s) representing Google, and in the interpretation of ToS by those lawyers. If Google decides that it wants to sell your documents to a third party, I’m sure the lawyers can find ways of justifying it.

Yes, the documents are secure, and will become more so in the future, from hacking. But as you say, “Security threats don’t always come from outside an organization”

Petew

Guy M

April 4, 2014

Once people accept the fact that there is no such thing as perfect security, they need to determine what is acceptable security for them and their documents.
For most people and most information, I believe the security of Google Drive is acceptable. If they encrypt before they upload, then even more so.
The least I can say is that I find it acceptable for me and the documents I store there.
Really liked the article!

Jenni

April 4, 2014

I don’t like to use any cloud service for very private information, as Al C stated too. Also, I have had discussions with my work place because we are using the cloud for our new whole employee database (indirectly) and yet our privacy processes and documentation have not caught up with it yet. Few have any real idea of what / where information is being stored now. The information that I provided to them has been put away for ‘later’.

Robert Wm Ruedisueli

April 5, 2014

For particularly sensitive documents, you can use an encryption program prior to upload. Of course, this eliminates the ability for online viewing and editing. Thus, you probably should reserve this measure for things that absolutely must be kept secret.

Jo-anne P

Emma

April 5, 2014

The sensitive info on your terabyte hard disks is what your governments are trying to get at eventually. But for now their agents can test “cloud services” untll the time when hard-diskless computers will be standard by law in the name of “security”. Everyone will only save on the cloud services provided by your governements.
For now enjoy your limited freedoms

Julio C

Daniel E

April 6, 2014

<quote>
You can also print out a code sheet that can be used to regain access to your account if someone swipes your password, logs in, and then changes the password to something you don’t know.
</quote>

Eh? The code sheet I’m familiar with is the substitute for SMS or Google Authenticator. That is, if you don’t have your phone with you, you can use the code in that code sheet for the second step of the authentication.

Carla

March 22, 2015

I have absolutely EVERYthing on my google drive. I have a chromebook, thus have to use google drive. I upload everything there, even work documents. I’ve done this for years until……..something strange happened last night…… I logged in and it appears all my files are encrypted by a third party that is asking me to pay $500 to view my own documents (BitCoin). Please help me! I don’t know how I can get my stuff back. These are my own documents that I have created. PLEASE help ME!